Researchers Reveal Vulnerabilities of Telepresence Robot

New research from Zingbox has detailed vulnerabilities in telepresence robots that hackers could use to access sensitive data, including chat conversations, images, and live video streams.

The vulnerabilities were initially discussed at the RSA security conference in April 2018. Zingbox said its security researchers worked with manufacturers to discover five Common Vulnerabilities and Exposures (CVEs), which ranged from unprotected credentials to unauthorized remote access. The company said it is releasing the details of the vulnerabilities now that manufacturers have had a chance to address the issues.

“While much of the burden of ensuring device security falls on the healthcare providers, the collaboration between device manufacturers and security vendors is a critical component to assist healthcare providers,” said Daniel Regalado, principal security researcher at Zingbox, and co-author of Gray Hat Hacking. “I commend the quick actions by the device manufacturers, which enable us to share additional details regarding this vulnerability and educate the industry on the latest cyber threats.”

Regalado said it was highly probable that other telepresence robots could have the same mistakes in implementation as the VGo.

“It is hard to say if other robots would be affected by the same vulnerabilities without testing them,” he said. “However, the bugs identified in Vecna’s robot are related to common technology used across IoT devices, meaning firmware updates, shell command injection, and USB Autorun.”

The report said there were several key lessons from the tests, including:

As with IT security, it is important to involve Internet of Things security from the design phase of product development.

IoT devices need physical interaction with humans by design, so physical security needs to be improved.

IoT manufacturers and security researchers need to start collaborating more closely. Bug bounty programs are the best approach in this regard.

Trigger real-time alerts so security teams can take actions immediately, and network devices can react accordingly.

Zingbox is offering the full report here for a free download. Robotics Business Review has reached out to Vecna Technologies to get more details on the pending patch schedule, and we will update this story once we hear back.

Keith Shaw is the Editor for Robotics Business Review. Prior to joining EH Publishing, he worked as an editor for Network World, Computerworld and various newspapers across Massachusetts, New York, and Florida. He holds a degree in journalism from Syracuse University.